Earlier this morning, the FTC proposed additional revisions to the rule implementing the Children’s Online Privacy Protection Act (“COPPA”).  COPPA governs the online collection, use, and disclosure of children’s personal information by (1) operators of websites and online services that are directed to children under the age of 13 and (2) operators of general audience websites or online services that have actual knowledge that a user is under 13.  The FTC initially proposed revisions to the COPPA Rule in September 2011, and based on comments that it received, is proposing additional changes for comment.  Comments to this supplemental proposed rule must be submitted by September 10, 2012.  No final rules were adopted at this time.

The supplemental proposed rule revises the definitions of several key terms, including “operator,” “website or online service directed to children,” “personal information,” and “support for internal operations.”

  • Operator:  The revisions would expand the definition of “operator” to include third parties, such as social plug-ins and ad networks, that know or have reason to know that they collect personal information through child-directed websites and online services.  The FTC previously had rejected a constructive knowledge standard.  The notice suggests that website operators and such third parties would be deemed  “co-operators” that would be jointly responsible for complying with COPPA.
  • Website or Online Service Directed to Children:  The revised definition would allow family friendly websites that are directed to both children and a broader audience to comply with COPPA without treating all users as children, instead providing COPPA protections only to users under the age of 13.
  • Screen and Usernames:  The revisions would clarify that screen or usernames would be covered only where they function as online contact information.
  • Personal Information: The new proposed definition would include persistent identifiers that can be used to identify users over time and across different sites and services.
  • Support for Internal Operations: Activities that are required to manage and operate a site will not be deemed to have collected personal information if they do not use or disclose the information for the purposes of contacting an individual.
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.